Well, it’s that time of the year/quarter/month… whatever policy you have on performing the password audit. Some of my notes come from references that are a few years old, so I am not sure how much longer they will be around; I hope they stay up, they have good info. Keep in mind I am using Kali 2017.1 for my fun today.
First up, the Windows password audit, or as I call it, the Windblows Password Audit.
- Retrieve the ntds.dit and SYSTEM file (notes from https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html):
- C:\>ntdsutil
- ntdsutil: Activate Instance ntds
- ntdsutil: ifm
- ifm: create full c:\cool-pass-pentest-audit
- ifm: quit
- ntdsutil: quit
- copy the c:\cool-pass-pentest-audit folder to your Kali box (it holds every password hash in the domain, so move it over an encrypted channel and wipe it when the audit is done)
- install the libesedb-utils
- apt install libesedb-utils
- export the ntds tables (notes from https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html):
- esedbexport -m tables ntds.dit
- (this may take a while…a long while)
- Now we need to extract the hashes…
- currently I am using this: https://github.com/csababarta/ntdsxtract
- git clone https://github.com/csababarta/ntdsxtract.git
- python ntdsxtract/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.6 hashdumpwork --syshive SYSTEM --passwordhashes --lmoutfile lm-out.txt --ntoutfile nt-out.txt --pwdformat ocl
- Now we can do some cracking, using hashcat (since I like to use GPUs)
- We will start with the rockyou.txt.gz wordlist that came with my kali install
- cd /usr/share/wordlists; gunzip rockyou.txt.gz; cd -
- hashcat -a 0 -m 1000 --username hashdumpwork/nt-out.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
- I like to run most of the rule sets that come with the hashcat install on Kali, since each one tends to pick up a few more passwords, but I will just give the example using rockyou-30000.rule
- Want to see what passwords you got when it is over? Just run the same hashcat command with the --show flag added and presto!
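Once --show has printed the cracked accounts, the audit still needs a summary: how many accounts fell, who has an empty password, which accounts share a hash (same password reused) and who is under the minimum length. The script below is an added example, not part of the original post and not part of hashcat or ntdsxtract. It assumes the hash file given to hashcat has one `username:nthash` per line (what --username expects) and that --show prints `username:nthash:plaintext`; the sample lines embedded in it are constructed, apart from the well-known NT hash of the empty password.

```python
"""Summarise a hashcat --show run from a Windows NT-hash (-m 1000) password audit.

Hypothetical helper, not part of the original post, hashcat or ntdsxtract.
Assumes:
  * the hashcat input file holds one `username:nthash` line per account
    (the format the --username flag expects), so uncracked accounts count too;
  * `hashcat --show --username -m 1000 ...` prints `username:nthash:plaintext`.
"""
from collections import defaultdict

# NT hash of the empty password (well-known constant)
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample input: the file handed to hashcat (all audited accounts).
# Only the third hash is a real value (empty password); the rest are made up.
SAMPLE_HASHES = [
    "# constructed sample, not a real domain dump",
    r"DOMAIN\alice:8846f7eaee8fb117ad06bdd830b7586c",
    r"DOMAIN\bob:8846f7eaee8fb117ad06bdd830b7586c",
    r"DOMAIN\carol:31d6cfe0d16ae931b73c59d7e0c089c0",
    r"DOMAIN\dave:0123456789abcdef0123456789abcdef",
    r"DOMAIN\svc_backup:fedcba9876543210fedcba9876543210",
]

# Constructed sample of what --show printed for the run above.
SAMPLE_SHOW = [
    r"DOMAIN\alice:8846f7eaee8fb117ad06bdd830b7586c:password",
    r"DOMAIN\bob:8846f7eaee8fb117ad06bdd830b7586c:password",
    r"DOMAIN\carol:31d6cfe0d16ae931b73c59d7e0c089c0:",
    r"DOMAIN\dave:0123456789abcdef0123456789abcdef:Summer2017!",
]


def parse_hash_file(lines):
    """`username:nthash` lines -> {username: nthash}; blank and # lines skipped."""
    accounts = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, nthash = line.rpartition(":")  # usernames never contain ':'
        accounts[user] = nthash.lower()
    return accounts


def parse_show_output(lines):
    """`username:nthash:plaintext` lines -> {username: plaintext}.

    Splits on the first two colons only, so a plaintext containing ':' survives.
    """
    cracked = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a --show line (progress text, warnings, ...)
        user, _, plain = parts
        cracked[user] = plain
    return cracked


def audit_report(accounts, cracked, min_length=8):
    """Return the findings a password audit write-up usually needs."""
    by_hash = defaultdict(list)
    for user, nthash in accounts.items():
        by_hash[nthash].append(user)
    # Same NT hash means same password: reuse is visible even for uncracked ones.
    reused = {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}
    empty = sorted(u for u, h in accounts.items() if h == EMPTY_NT_HASH)
    short = sorted(u for u, p in cracked.items() if len(p) < min_length)
    total = len(accounts)
    return {
        "total": total,
        "cracked": len(cracked),
        "cracked_pct": round(100.0 * len(cracked) / total, 1) if total else 0.0,
        "empty_password": empty,
        "reused_hashes": reused,
        "below_min_length": short,
    }


def sample_report():
    """Run the whole pipeline over the constructed sample lines."""
    return audit_report(parse_hash_file(SAMPLE_HASHES), parse_show_output(SAMPLE_SHOW))


if __name__ == "__main__":
    report = sample_report()
    print(f"cracked {report['cracked']}/{report['total']} ({report['cracked_pct']}%)")
    print("empty password:", report["empty_password"])
    for nthash, users in report["reused_hashes"].items():
        print(f"shared hash {nthash}: {', '.join(users)}")
    print(f"below minimum length: {report['below_min_length']}")
```

For a real run, replace the two sample lists with the contents of hashdumpwork/nt-out.txt and the saved output of the --show command; reuse is computed from the hashes alone, so accounts that share a password show up even when nobody cracked it.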